Uber has escaped a major fine over a UK customer data leak as the incident happened before GDPR rules came into force.

The tech giant Uber has been fined £385,000 by the Information Commissioner’s Office (ICO) after it tried to quietly pay off hackers who had stolen the personal details of around 2.7 million UK users.

A UK law firm specialising in data breach cases said the UK fine was a “small price to pay” for one of the “worst data breaches we have seen to date”.

The figure was dwarfed by the $148m (£112m) the company has agreed to pay US regulators over the major breach, which saw hackers steal the sensitive details of 57 million Uber users and 600,000 drivers worldwide.

The discrepancy in the UK and US fines is due to the fact the ICO investigated the breach under the Data Protection Act 1998, which only allows for a maximum fine of £500,000.

The new EU-wide GDPR law, which allows the watchdog to fine companies up to €20 million (£17.7 million) or four percent of turnover, only applies to breaches that occurred after May 2018.

Chun Wong, partner at law firm Hodge Jones and Allen, said: "Uber's flagrant disregard for people's data and then attempts to cover it up signifies one of the worst data breaches we have seen to date.

"Uber will consider themselves fortunate that higher fines brought in in May this year were not in force. The fine of £385,000 seems a small price to pay and will be of little comfort to those affected."

Following its investigation, the ICO described the hack as a “serious breach” that had “the potential to expose the customers and drivers affected to increased risk of fraud”.

It also accused the taxi-hailing company of showing “complete disregard” for its customers and drivers after it failed to inform those affected by the breach and instead paid the hackers $100,000 (£78,000) to destroy the details.

Steve Eckersley, ICO Director of Investigations, said: “This was not only a serious failure of data security on Uber’s part, but a complete disregard for the customers and drivers whose personal information was stolen.

“At the time, no steps were taken to inform anyone affected by the breach, or to offer help and support. That left them vulnerable.”

The watchdog said a series of avoidable data security flaws allowed hackers to download the sensitive details of millions of users from a cloud-based storage system operated by Uber’s parent company in October and November 2016.

The information also included the records of 82,000 drivers based in the UK and the journeys they had made.

The ICO said that those affected by the breach were not told about it until reports surfaced in the media in November last year.

“Paying the attackers and then keeping quiet about it afterwards was not, in our view, an appropriate response to the cyber attack,” added Mr Eckersley.

“Although there was no legal duty to report data breaches under the old legislation, Uber’s poor data protection practices and subsequent decisions and conduct were likely to have compounded the distress of those affected.”

Following the fine, a spokesman for Uber said: “We’re pleased to close this chapter on the data incident from 2016.

“As we shared with European authorities during their investigations, we’ve made a number of technical improvements to the security of our systems both in the immediate wake of the incident as well as in the years since.

“We’ve also made significant changes in leadership to ensure proper transparency with regulators and customers moving forward. Earlier this year we hired our first chief privacy officer, data protection officer, and a new chief trust and security officer.

“We learn from our mistakes and continue our commitment to earn the trust of our users every day.”